Techno-Crime Institute

Driving and Inspiring The Evolution of Investigations


Mobile Devices Might Be Your Biggest Technology Security Risk Today

March 26, 2020 by Walt Manning

Introduction

People throughout the world have had their lives changed in the past few weeks. I am sad for the individuals and families who have lost loved ones or friends from the global coronavirus pandemic.

Many people are now “sheltering in place,” working from home, or are experiencing other restrictions that have now become part of our “new normal.”

But our use of mobile devices doesn’t come without risk, and I want you to at least start thinking about that today.

Mobile devices do more for us each day, and most people can’t imagine living or working without them.

Nobody can doubt that mobile devices provide excellent features and convenience, as well as entertainment and increased business productivity.

But it’s easy to forget that mobile devices are pretty powerful computers, and you need to think about the security risks that come from using them.

Do you use your mobile device for anything you’d like to stay confidential or keep private?

Is there data transmitted by or stored on a mobile device that you want to keep secure?

The use of mobile devices is growing at unbelievable rates.

First, here are a few statistics:

  • There are now more connected mobile devices than there are people on earth.
  • Currently, in the U.S., there are approximately eight networked devices per person, a number expected to climb to 13.6 per person by 2022.
  • Nearly three-quarters of the world will use just their smartphones to access the internet by 2025.
  • In the U.S., roughly one-third of people (31 percent) use mobile banking more than any other app on their smartphone.

But the following will give you some background about the associated risks.

A Forbes magazine article, referencing Verizon’s Mobile Security Index (MSI) 2020 Report, revealed that:

  • 54% of companies were less confident about the security of their mobile devices than that of their other systems.
  • 21% of organizations that were compromised said that a rogue or unapproved application had contributed to the incident.

A more in-depth review of the full Verizon report adds more thought-provoking information:

  • 83% of organizations were concerned about device loss or theft, and 20% of those felt that their defenses were inadequate.
  • Device operating systems are also a concern and often out of date. Almost half (49%) of enterprise devices are being used without any managed update policy.
  • According to Wandera, employees connect to an average of 24 Wi-Fi hotspots per week, and Netmotion found that the average device connects to two or three insecure Wi-Fi hotspots per day.

From a study produced by Aite at the request of Arxan, discussing mobile device vulnerabilities:

  • “There is no shortage of anecdotal evidence that hackers are actively seeking to leverage those vulnerabilities, such as the recent discovery in the wild of mobile malware that leveraged Androids’ accessibility features to copy the finger taps required to send money out of an individual’s PayPal account. The malware was posted on a third-party app store disguised as a battery optimization app. This mobile banking trojan was designed to wire US$1,000 out of an individual’s PayPal account within three seconds, despite PayPal’s additional layer of security using multifactor authentication.”
  • The study found three app categories with the highest number of vulnerabilities: retail banking, retail brokerages, and auto insurance.

Whether you are working remotely or not, let’s take a few steps to improve your mobile device security.

Mobile Device Threats

Are You Taking Risks Using Unsecured Wi-Fi?

Mobile device users routinely connect to the nearest or strongest available Wi-Fi network signal, and some may not even be aware of the significant security risks.

I have already written two blog posts about the use of Wi-Fi, so I won’t repeat that information in this one. Here are links to the previous posts, for your convenience:

This Is Possibly Your Biggest Techno-Crime Risk: What You Need to Know

How to Stay Safe on Public Wi-Fi

In addition to public Wi-Fi, if you now depend on your home router, you’ll need to make sure that it is also secure. Here’s a link with more information:

Do You Know Whether Somebody Has Already Hacked Your Home Network?

Should You Be Worried About Mobile Device Malware?

Mobile devices can be infected with malware, just like any computer.

A report from Check Point states that attacks against mobile devices in the first half of 2019 increased by 50% compared to 2018, with mobile banking apps being one of the primary targets.

Reports from multiple security companies document that the overwhelming majority of mobile malware targets Android devices. Still, anti-malware protection should be installed on every mobile device.

If your device is infected, mobile malware can:

  • Allow the attacker to wipe the device or alter data
  • Track your physical location in real-time
  • Surreptitiously turn on the device camera or microphone
  • Allow the developer complete access to all data stored on or transmitted by the device
  • Allow the developer to send text messages or make calls on the device
  • See text messages sent as part of 2-factor authentication systems
  • Change settings on the device
  • Convert the device into a node on a criminal botnet
  • Masquerade as an app from a legitimate financial institution to steal your financial data, including your login
  • Manipulate the screen so that it continues to show your valid transaction and expected balance, but not the real data
  • Recognize when you dial a financial institution 800 number and reroute the call to one of the attacker’s call centers
  • Connect to the company network, raising the possibility of infection on other machines

Do You Know All the Data You’re Giving Away to Your Mobile Apps?

Users who install apps on their mobile devices seldom read the Terms of Service agreement that comes with the app or the developer’s Privacy Statement.

But a significant number of apps take advantage of this to grant themselves permission to do many things with your device and the data that it contains.

Most users are completely unaware that they have given away these rights.

The app developers are then free to sell the collected data to advertisers or any other interested party.

Apps may be allowed to collect and transmit:

  • The device manufacturer and model
  • The device serial number and IMSI number
  • Geolocation data
  • Browsing and search history
  • Demographic data
  • All contacts stored on the device

The Terms of Service may also give an app permission to:

  • Record audio through the device microphone
  • Have full Internet network access via the device
  • Take photos or videos
  • Modify or delete the contents of data storage
  • Create accounts and set passwords
  • Send text messages
  • Read phone status and identity (includes call logs, phone signal, carrier, device ID, and phone number)
  • Connect and disconnect from Wi-Fi networks
  • Retrieve information about current and recently running apps on the device
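The permissions above can be checked before installing an Android app by reading what its manifest requests. The sketch below is an added example, not code from the original post: it assumes the manifest has already been decoded to text XML (inside an APK it is stored in a binary form), and both sample manifests, their package names and the review thresholds are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Android permission names for capabilities the post describes in plain language.
# INTERNET is left out because almost every app requests it.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "record audio through the microphone",
    "android.permission.CAMERA": "take photos or videos",
    "android.permission.SEND_SMS": "send text messages",
    "android.permission.RECEIVE_SMS": "see incoming texts, including 2-factor codes",
    "android.permission.READ_SMS": "read stored text messages",
    "android.permission.CALL_PHONE": "make calls",
    "android.permission.READ_PHONE_STATE": "read phone status and identity",
    "android.permission.READ_CONTACTS": "read all contacts",
    "android.permission.ACCESS_FINE_LOCATION": "collect precise geolocation",
    "android.permission.CHANGE_WIFI_STATE": "connect and disconnect from Wi-Fi",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify or delete stored data",
}
SMS_READ = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def audit_manifest(manifest_xml):
    """Summarise what a decoded AndroidManifest.xml asks for and why to review it."""
    root = ET.fromstring(manifest_xml.strip())
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    requested.discard(None)
    sensitive = {p: SENSITIVE[p] for p in sorted(requested & SENSITIVE.keys())}

    # An accessibility service is declared as a <service> guarded by this permission.
    services = [s.get(ANDROID + "name") for s in root.iter("service")
                if s.get(ANDROID + "permission") == BIND_ACCESSIBILITY]

    reasons = []
    if services:
        reasons.append("declares an accessibility service, which can observe "
                       "and act on other apps' screens")
    if services and requested & SMS_READ:
        reasons.append("pairs the accessibility service with SMS access, "
                       "so 2-factor codes are exposed as well")
    if len(sensitive) >= 4:  # threshold is an assumption for this example
        reasons.append(f"requests {len(sensitive)} sensitive permissions")

    return {
        "package": root.get("package"),
        "sensitive": sensitive,
        "accessibility_services": services,
        "reasons": reasons,
        "needs_review": bool(reasons),
    }


# Constructed sample: a "battery saver" that asks for far more than it needs.
BATTERY_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.batterysaver">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".TapHelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed sample: a notes app that only needs network access.
NOTES_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (BATTERY_MANIFEST, NOTES_MANIFEST):
        report = audit_manifest(manifest)
        print(report["package"], "-> review" if report["needs_review"] else "-> ok")
        for perm, meaning in report["sensitive"].items():
            print(f"  {perm}: {meaning}")
        for reason in report["reasons"]:
            print(f"  ! {reason}")
```
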

Did You Already Know These Mobile Device Security Tips?

What can we do to secure our mobile devices against these problems and threats?

Here are a few essential recommendations:

  • Use a secure passcode on every mobile device
  • Configure the screen lock to engage after a minimal time with no activity
  • Use anti-malware and a firewall on every mobile device
  • Only connect with websites using HTTPS, but even that does not guarantee a secure connection
  • Use a VPN on every mobile device
  • Download and install apps only from approved app stores
  • Do not let sensitive apps remember your login user ID or password
  • Consider using encryption to protect any sensitive data stored on the device
  • Consider the use of an encrypted app to send text messages or make voice calls
  • Make sure to keep the operating system and all apps up to date at all times
  • Read the Terms of Service agreement for all apps and any associated Privacy Policy so you will know what permissions the apps require
  • Use a secure password manager
  • Do not use your fingerprint to access a mobile device
  • If not already available, consider the use of an app to locate your device if it is lost or stolen
  • When you sell or trade in an old device, make sure that your data is securely erased
  • Be very selective in choosing which apps can use location services
  • Turn off all unnecessary system services
  • Allow text, video, audio messages to expire rather than store them forever
  • Limit what diagnostic data is sent to the manufacturer, app developer or carrier whenever possible
  • Be careful what you sync with services such as iCloud, Dropbox, etc.
  • Control what notifications are displayed on your locked screen

I hope this post will help you understand some of the risks from your mobile devices, and help you begin to improve your security.

If you would like more details, go to the Free Content Library on our website. We’ve compiled a “Smart Home and Mobile Device Security Checklist,” which we are gladly providing at no cost.

This checklist doesn’t address all of the security issues you may face with mobile devices, but at least it gives you an excellent place to start.

Please share this information with co-workers, family, and friends to help everyone improve their security!


Is Your New Smart Home Assistant Really Listening?

December 26, 2019 by Walt Manning

The short answer is, “probably, but you don’t know when.”

Smart home assistants like Amazon’s Echo/Alexa, Google Home, or the Apple HomePod were some of the most popular holiday gifts for the second year in a row.

All of these devices function by listening so they can respond to your questions or commands. For the Amazon products using Alexa, there are thousands of different “skills” available, which include everything from playing music to online banking.

Be aware that all of these devices collect data, even when the device’s “wake word” has not been used. Some of this data is reviewed by humans to “improve the quality” of service.

The convenience of these smart assistants is appealing and entertaining, and there have been both funny and dangerous incidents associated with their use.

Data from these devices has already been subpoenaed in litigation and criminal investigations, so be careful what you let them hear!

But today you are still relaxing and enjoying the holidays, so I’ll save those more specific privacy and security topics for a post later next year.

If you have any of these devices, here are some brief suggestions that you can put to use immediately:

  • Think about where you place the device and the conversations that might be heard there.
  • Change the device’s “wake word” from the default options, so the assistant won’t activate when you don’t mean for it to be in use.
  • Disable the microphone, especially if you are about to talk about anything you wouldn’t want someone else to hear.
  • Delete your old recordings. Almost all of the companies allow you to do this, but they won’t do it for you. Also, be aware that just because you have deleted the recorded audio, it doesn’t necessarily mean that you have removed all the data that has been collected by the device.
  • Make sure that your wireless network is secure. These devices can be hacked, just like almost all Internet of Things (IoT) devices.
  • Check the permissions you are allowing for any function or “skill” that you add to the device. For example, your street address and telephone number might be shared if using a skill for Uber or another ride-sharing or food delivery service.
  • Be careful adding functions from another developer that hasn’t been approved by the device manufacturer. Connecting the device to another IoT device or “skill” might be providing someone with the ability to be always listening and collecting your data.

Enjoy the holidays, and best wishes to all for a great 2020!


You Think Your Physical Keys Keep You Secure?

November 1, 2019 by Walt Manning

Introduction

Most of us have at least a few physical keys that we use every day.

Think about all the things you have keys for:

  • Home
  • Office
  • Cars
  • Family member’s home/car
  • Friend’s or neighbor’s home/car for emergency
  • Workshop
  • Secured storage
  • Padlocks
  • Lockers
  • Post office boxes

In addition to older traditional keys, we’ve added electronic key fobs that open our car door as we get within range or when we touch the door handle.

What about the new wireless locks that can be opened with your smartphone?

Do you use RFID cards or fobs that provide easy access to buildings or workspaces?

We’ve always depended on keys to keep us safe and secure.

But what if I told you that those keys might not be as secure as you think?

KeyMe

Let me tell you first about a company named KeyMe. You may have seen their kiosks in a retail store or visited their website at https://www.key.me/.

Here’s how the basic service works.

Let’s say you need an extra key:

  • Download the KeyMe app to your smartphone or tablet.
  • Place the key on a blank sheet of white paper and take a photo of both sides.
  • Send the image to KeyMe and they’ll mail you an exact copy of the key.

Or, you can take a physical key to any KeyMe kiosk, and the machine will duplicate the key while you wait.

KeyMe kiosks can take your RFID card or fob and create a small sticker that duplicates the RFID frequency. Then you can put the sticker on the back of your phone, and you’ll be able to open any associated door or lock.

You can share images of your keys with anyone via the KeyMe app, and they can also have physical copies of your keys made.

But as with all convenient technology, there’s the potential for abuse.

Watch a short television spot to see what the reporter was able to do with the service:

How burglars could get a copy of keys to your house by just using their cell phones

KeyMe kiosks only accept credit cards and have video cameras to document every transaction. An email address is also required, along with scanned fingerprints.

Can you think of ways to bypass these security measures?

It probably wouldn’t be very challenging.

But KeyMe is not the only risk to the security of your locks.

How Do You Feel About 3D-Printed Keys?

At a hacker conference, there was a presentation showing how to make a 3D-printed “bump” key that would open an estimated 90% of all cylinder locks. Bump keys have the same key blank profile as the lock, but work by “bumping” the pins in the lock so the key will turn the lock’s cylinder to open it.

In 2016, the Washington Post published photos of TSA master keys for luggage. Researchers (and hackers) were able to use 3D-printing to reproduce copies of the seven types of master keys.


Security experts have cloned all seven TSA master keys

Make your own TSA universal luggage keys

Are Hotel Room Locks Safe?

Hotel room locks that use RFID or magnetic strip key cards have been widely hacked, and many are still vulnerable.

The Hotel Room Hacker

Two hackers have found how to break into hotel-room locks

$50 Hacking Device Opens Millions of Hotel Room Locks

How Safe Are Your Wireless Keys?

You might be wondering about the security of your wireless car key fob.

These have also been hacked.

Just a Pair of These $11 Radio Gadgets Can Steal a Car

NICB Uncovers Car Theft ‘Mystery Device’

Wireless locks that operate on a Bluetooth Low Energy (BLE) signal have also been hacked. Many of these devices transmit the password (if there is one) in plain text, which can be easily intercepted and duplicated.

Have a smart lock? Yeah, it can probably be hacked

Hacking Smart Locks with Bluetooth / BLE

Ring’s smart doorbell can leave your house vulnerable to hacks (now patched, we think)

Hacker Takes Over ‘Smart Home’ by Hacking into Google Nest System

Final Thoughts

The security of any lock depends on the quality and design of the device, and the determination and skill of the person trying to open the lock.

This post isn’t meant to scare you, but you should not take the security of any device for granted.

Do your homework and choose your keys wisely!

Perhaps it’s time for new ones?

What do you think?


Do You Know Whether Somebody Has Already Hacked Your Home Network?

September 22, 2019 by Walt Manning

Nobody ever told me…

One of the most overlooked ways to hack into your home or small office network is the modem/router that likely provides your Internet connection.

Hundreds of thousands (if not millions) of Internet routers have been hacked.

In one test, security researchers analyzed 20 of the highest-selling routers and found that half of the devices had multiple security vulnerabilities, which didn’t even include configuration errors.

According to Bitdefender’s real-time monitoring, routers are one of attackers’ most targeted Internet-of-Things devices.

Most people receive a combination modem/router from their Internet Service Provider (ISP), but some people purchase their own. Even though you can have a separate modem and router, the majority of those provided by ISPs are combined into one piece of equipment. For the sake of simplicity, we’ll refer to this device as a router.

Wherever the device came from, most people never change critical settings that can make it very easy to hack.

Here’s where you start

The first, and probably the most important thing to change, is the primary login credentials to manage the device. Almost every router comes with a default User ID and password. In the setup guidelines (which many people never read), one of the first instructions given is to change these settings.

Most people never do, and this gives an attacker easy access to your router.

The default User ID for many routers is “admin,” with a password of “password.” Some routers come from an ISP with a label on the back that shows the password. The one we received from our ISP has a sticker on both the front and back of the router, to make access easier for the owner.

Leaving the default administrator credentials in place is not much different than having a front door without a lock. Attackers know the default login credentials for most routers, and use them to hack into these devices every day.

There is even a website that provides the default credentials for many routers (designed for people who reset their routers and can’t find the setup documentation that came with the device). To check the default information for your router, go to https://www.routerpasswords.com/.

When changing the administrator User ID, create one that is different from the User ID you use for any other login. The administrator password also needs to be unique and not easily guessed. Password managers, such as LastPass, can help you to generate a unique and secure password, and then help you remember it by storing the administrator login credentials in the encrypted LastPass database.

According to a report from Tripwire, a cybersecurity firm, 46% of consumers and 30% of technology professionals never change their default router passwords.

You may be asking what someone could do with administrator access to your router. Here are just some of the possibilities:

  • The attacker can redirect your Internet connection to a web page that phishes for your account credentials.
  • A hacked router can take you to a web page that tells you to download software updates that may infect you with malware.
  • An invader can conduct what is called a “man-in-the-middle attack,” so they can see everything you do on what you believe is a secure and encrypted connection.
  • The hacked router can be hijacked to serve as a “bot” on a malicious botnet that can be used to launch Distributed Denial of Service (DDoS) attacks against websites, companies, or even government agencies.
  • The router can be used to attack other devices connected to your network, potentially providing access to any data stored on or transmitted by those devices.
  • If any Internet-of-Things (IoT) devices are connected wirelessly to the router, they could be taken over remotely to spy on anything within range. Think smart TVs, home assistants (Amazon Echo, Google Home, etc.), or other devices such as the intelligent Nest thermostat or the Ring doorbell.

The other important setting to change is the Service Set Identifier, or SSID, of your router that provides your wireless signal (some routers have more than one). The SSID is the name of your network that is broadcast to anyone that may want to connect.

Unfortunately, many routers come with a default SSID that shows the manufacturer and the model number of the router. Using routerpasswords.com and other resources, it’s very easy to look up the default administrator login credentials to see if they still provide access.

If the router provides the capability of multiple Wi-Fi networks (many routers can have several), make sure to change the access passwords to connect to each of these networks.

Lots of routers today have at least two frequencies: a 2.4 gigahertz band and a 5 gigahertz band. If you have a router with these frequencies, they can each have a different name and connection password.

There are some fundamental differences between the two frequencies. The 2.4 GHz band is probably used by other appliances or devices in your home or office. For example, most older cordless phones, garage door openers, and baby monitors use this frequency. One of the reasons it is more widely used is that the signal travels farther and transmits better through walls to provide enhanced coverage.

If someone outside is scanning for nearby Wi-Fi signals, they are most likely to see your 2.4 GHz signal as available for a connection.

The 5 GHz band is not currently used much by other devices (although this may change with the addition of more Internet-of-Things devices) and does not transmit as far as the 2.4 GHz band.

Some security professionals suggest that using the 5 GHz band may be more secure, just because someone in your neighborhood may not be able to detect it and try to connect.

Give each of your wireless network segments a different SSID that cannot be identified with you or your location. Naming an SSID as “Walt’s Network” or leaving a default SSID as the model of your router is not a good idea. Give each a unique name, so they can’t be easily associated with the same router.

Many of the better routers will allow you to create different wireless segments and give you the capability to limit the use of individual segments by user or device, with a different password for each one.

Examples of why this is useful would include creating a “guest” segment for visitors who do not need permanent access to your network. Another use might be only to allow the Internet-of-Things (IoT) devices to connect to a separate network segment.

I would recommend creating a secure encrypted note in your password manager that contains all of the information about your router (manufacturer, model number, serial number, default User IDs and passwords, along with the new ones you generate to improve the security of the router). This might come in handy in the future.

You will also want your router to use the most up-to-date encryption, which is currently WPA2.

Finally, check for firmware updates. Firmware is the embedded software that controls everything on your router. Users can’t delete the firmware, but it can and should be updated. Similar to software updates on other devices, firmware updates fix security and software problems that have been identified for the router. Firmware updates should be available from the router manufacturer’s website.

If you are not able to update the router’s firmware, it’s probably time to replace it with a more updated (and secure) model.
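The settings covered in this section can be written down once and checked together. The following is an added example, not code from the original post: the inventory format, the `ExampleCo` router and all passwords are constructed, and accepting WPA3 alongside WPA2 is an assumption that goes beyond what the post states.

```python
import re

# The default login quoted in the post; add the defaults for your own model.
DEFAULT_ADMIN_LOGINS = {("admin", "password")}
ACCEPTED_ENCRYPTION = {"WPA2", "WPA3"}  # WPA3 is an addition to the post's advice
BAND_SUFFIX = re.compile(r"[\s_-]*(2\.4|5)\s*g(hz)?$")


def ssid_stem(ssid):
    """Strip a trailing band marker so 'Net-5G' and 'Net_2.4GHz' compare equal."""
    return BAND_SUFFIX.sub("", ssid.lower())


def audit_router(cfg):
    """Return (code, detail) findings for one router inventory record."""
    findings = []
    user = cfg["admin_user"].lower()
    if (user, cfg["admin_password"]) in DEFAULT_ADMIN_LOGINS:
        findings.append(("default-admin-login", "administrator login is still the default"))
    elif user == "admin":
        findings.append(("default-admin-user", "password changed but User ID is still 'admin'"))

    # Terms that tie an SSID to the hardware or to the owner.
    identifying = [t for t in (cfg["vendor"], cfg["model"], *cfg.get("owner_terms", [])) if t]
    for net in cfg["networks"]:
        ssid = net["ssid"]
        hits = [t for t in identifying if t.lower() in ssid.lower()]
        if hits:
            findings.append(("identifying-ssid", f"{ssid!r} reveals {', '.join(hits)}"))
        if net["encryption"].upper() not in ACCEPTED_ENCRYPTION:
            findings.append(("weak-encryption", f"{ssid!r} uses {net['encryption']}"))

    stems = [ssid_stem(n["ssid"]) for n in cfg["networks"]]
    if len(set(stems)) < len(stems):
        findings.append(("linkable-ssids", "segments share a name and differ only by band"))

    passwords = [n["password"] for n in cfg["networks"]]
    if len(set(passwords)) < len(passwords):
        findings.append(("shared-wifi-password", "segments reuse one connection password"))

    if not cfg.get("firmware_current", False):
        findings.append(("firmware-outdated", "firmware not confirmed up to date"))
    return findings


# Constructed record: a router left the way it came out of the box.
AS_SHIPPED = {
    "vendor": "ExampleCo", "model": "EX1200",
    "admin_user": "admin", "admin_password": "password",
    "firmware_current": False,
    "networks": [
        {"ssid": "ExampleCo-EX1200", "encryption": "WPA2", "password": "sunshine2019"},
        {"ssid": "ExampleCo-EX1200-5G", "encryption": "WEP", "password": "sunshine2019"},
    ],
}

# Constructed record: the same router after applying the steps in this section.
HARDENED = {
    "vendor": "ExampleCo", "model": "EX1200", "owner_terms": ["walt"],
    "admin_user": "rtr-mgr-41", "admin_password": "constructed-long-random-value",
    "firmware_current": True,
    "networks": [
        {"ssid": "bluejay", "encryption": "WPA2", "password": "constructed-pass-one"},
        {"ssid": "granite", "encryption": "WPA2", "password": "constructed-pass-two"},
        {"ssid": "lanternguest", "encryption": "WPA2", "password": "constructed-pass-three"},
    ],
}

if __name__ == "__main__":
    for name, cfg in (("as shipped", AS_SHIPPED), ("hardened", HARDENED)):
        print(name)
        for code, detail in audit_router(cfg) or [("ok", "no findings")]:
            print(f"  {code}: {detail}")
```
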

Are There Other Options?

If you’re interested in exploring more secure routers or other devices that will protect your home or small office network, consider the following, but do your research before deciding what might best serve your needs:

The F-Secure Sense Security Router – https://www.f-secure.com/en_US/web/home_us/sense

The Bitdefender Box 2 Smart Home Cybersecurity Hub – https://www.bitdefender.com/box/

Dojo, by Bullguard – https://dojo.bullguard.com/dojo-by-bullguard/

The Pepwave Surf SOHO router – https://www.peplink.com/products/pepwave-surf-soho/

The Norton Core Router – https://us.norton.com/core

There are other settings and best practices related to router security that can improve your safety even more but are beyond the scope of this post.

For additional information, go to:

https://routersecurity.org

Conclusions

While improving the security of your router(s) won’t protect you from every threat, if you follow these recommendations, you will have done more than most to reduce some of your techno-crime risks.

If you’re interested in more tips to increase the security of your smart home, we’ve published a free Smart Home and Mobile Device Security Checklist that is available in the Free Content Library on our website at https://technocrime.com/free-content-library/.

Let me know your thoughts about this topic, and if you have other recommendations to share, please leave a comment.


Did You Know That Even If You’re Not A Suspect, Your DNA Could Be Used As Evidence In A Crime?

August 5, 2019 by Walt Manning

This new technology is solving decades-old cold cases

DNA has been used to identify suspects in hundreds of thousands of criminal cases since the 1990s. The national criminal database, CODIS, currently contains the genetic data of over 13 million people, along with fingerprints and other biometric data collected by law enforcement.

Although the FBI is the only federal agency authorized to maintain a national DNA database, many states, and even local law enforcement agencies, have also begun to collect DNA and maintain their own databases.

But did you know that even if you’ve never had a DNA sample collected by a law enforcement or government agency, today your DNA might be involved in a criminal investigation?

Familial DNA searches, the process of examining and comparing the DNA of people who might be related to a suspect, are being used by law enforcement to solve a significant number of criminal cases.

Some of these are cold cases that have been open for decades.

The National District Attorney’s Association describes the familial DNA search process:

“Familial searching is a technique whereby a crime scene profile is deliberately run through the offender databank in the hopes of getting a list of profiles that are genetically similar to the DNA evidence and using this information as an investigative lead to interview family members of the near matches.”

DNAForensics.com provides more details about the process:

“When a DNA profile is obtained from a crime scene and that profile is passed through the FBI’s electronic program, the Combined DNA Index System (CODIS), a perfect hit will be obtained if all 26 alleles match a DNA profile in the database, indicating that the DNA sample is from the same person. But if a partial match occurs on at least 15 or more alleles then this could indicate that a close relative left the sample at the crime scene. A relative whose past conviction or arrest required him to provide his DNA can now send another family member to prison.”

(An “allele” as referenced by DNAForensics.com is a variation in a gene that is found in a specific spot on a chromosome, which, as I understand it, is a molecule containing all or part of a person’s DNA.)

Also see:
https://www.nij.gov/topics/forensics/evidence/dna/basics/Pages/analyzing.aspx

By expanding this process to include DNA data from other public sources and private companies, investigators now have the ability to go beyond the data contained in criminal databases in order to help identify suspects.

Perhaps the most notable example solved with this new technique is the California case of the Golden State Killer. A double murder occurred in 1980, and the suspect left DNA evidence at the crime scene. But investigators couldn’t match the DNA to any record in a criminal database, and without additional information, there weren’t any other leads.

Millions of people have submitted DNA samples to companies in the genetics industry to discover their ancestry or to see whether they have genetic markers that might indicate a higher potential for some diseases.

In addition to the information given to the customers, the genetic databases are valuable to medical researchers. The data can potentially be used to find the genetic causes of various diseases and medical disorders, which could lead to cures.

The resulting databases of genetic information contain millions of records from people who are not contained in criminal databases. This data is now being used by law enforcement, even though the people who submitted samples may not have been aware that law enforcement would have access to these records.

In April of 2018, investigators uploaded the DNA evidence related to the Golden State Killer to an open-source, public genealogy website named GEDmatch. With an account, anyone can see genetic data without a court order, usually when looking for unknown or distant relatives.

After setting up a fake profile account on the service, investigators used the same type of familial search and were able to match the unknown suspect’s DNA with possible relatives. By following the known family tree, investigators used more traditional investigative techniques, such as eliminating people by age, death, known locations, and gender to narrow down the list of potential suspects.

The data provided by this new field of familial genetics forensics identified the suspect, Joseph James DeAngelo. An ex-police officer, DeAngelo is a possible suspect in 13 murders, 50 rapes, and over 100 burglaries committed between 1974 and 1986. Even though DeAngelo was later cleared of the double murder charge (also after further DNA analysis), he still faces charges in the other crimes.

In the past year, over 50 other cold cases have been solved using this method.

Just recently, a Washington state court ruled that the use of familial genetics evidence that identified a suspect from another cold murder case could be admissible in his trial. After the initial DNA analysis from the crime scene was uploaded to GEDmatch, the database produced a match with a pair of second cousins to the DNA sample. A genetics forensics expert then reviewed the family tree and looked through newspaper articles, obituaries, census records, and even social media posts to follow the family tree leads. Her analysis targeted a male suspect, William Earl Talbott II.

Based on the DNA analysis, investigators placed the suspect under surveillance and collected a cup that the suspect had thrown away. His DNA was taken from the container and used for a direct comparison with DNA from the 1987 murder. The DNA matched.

However, with no other corroborating evidence, it will be up to the prosecutors in the case to determine whether the DNA analysis alone is enough to obtain a conviction.

The success of familial genetics forensics will only increase as the number of customers, and with it the volume of data, grows. Private genetics companies have databases that contain millions of genetic profiles. GEDmatch (which is public) includes over 1.2 million records. Family Tree DNA has approximately another million profiles. But the more prominent players in the industry have much larger databases (23andMe – 10 million and Ancestry.com – 15 million records). Each organization's terms of service treat law enforcement access differently, which complicates the situation even more.

Should You Think Differently About DNA?

You could make an argument that DNA is different from other types of biometric data. DNA is what makes you uniquely you, but unlike other biometrics such as fingerprints, iris scans, or face prints, parts of your DNA are shared with people related to you.

Consider the possibility of an innocent person whose DNA resembles the DNA found at a crime scene being questioned about other family members.

  • How many people would be comfortable in this scenario?
  • Would everyone agree to his or her DNA records and other related information being reviewed by law enforcement during a familial genetics investigation?
  • Do individuals have a right to be concerned about the privacy of their biometric data?
  • What about the security of digitized biometric data, and what would the possible consequences be if that data were stolen?

What Do You Mean There Are No Laws Regarding DNA?

There are currently no federal or state laws addressing the ownership of an individual’s DNA. Customers need to review the laboratory’s or company’s terms of service and privacy policies for this answer and many other issues.

The prevailing practice is that once a sample is submitted for analysis, the individual owns the sample until it is processed. Once processing is complete, the lab or company where it was sent owns the data.

Once ownership has transferred, the person who submitted the sample has no control over what the data is used for, how it is shared, or to whom it is sold.

There are no regulations about how your DNA might be used, and for what purpose.

Possible consequences might include:

  • Being turned down for insurance coverage due to something in your DNA.
  • In the United States, the Genetic Information Nondiscrimination Act (2008) prohibits unfair treatment related to medical insurance but does not address how life, disability, or long-term insurance providers may act.
  • How might DNA markers indicating intelligence be used?
  • Could your DNA become part of a pre-hiring due-diligence review?
  • Some researchers want to link DNA profiles to income and other data to look for correlations. Even though this might produce interesting results, could this type of data also result in discrimination?
  • Could the ethnicity and/or race markers from full DNA profiles be used in a discriminatory fashion?
  • What would the impact be in situations where the suspect was adopted?

Should law enforcement have unrestricted access to your DNA?

Some legal experts think that access to DNA profiles by law enforcement violates the Fourth Amendment and should require either a search warrant or a court order.

In other cases, courts have ruled that if people voluntarily provide information (or a biometric sample) to a third party, they have waived their right to privacy.

Some of the commercial genetics companies restrict access by law enforcement in their terms of service to cases involving only murder or violent crimes, but there is no consistency from service to service.

The DNA usually collected from people arrested by law enforcement doesn’t typically include a full profile like the ones produced by the genetics firms, and doesn’t include things like physical characteristics or medical/genetic disorders.

There is a growing debate about providing these more detailed profiles to law enforcement. Andrea Roth, Director of the University of California Berkeley Center for Law and Technology, said: “All the Supreme Court decisions about why existing offender databases don’t violate Fourth Amendment rights are all premised on the presumption that nothing personal can be gleaned from this junk DNA. Now that’s all up in the air. I think the bottom line is now everybody is about to be under genetic surveillance one way or another, unless we regulate the government’s ability to conduct genealogy searches.”

The counter-argument to this view is that familial genetics forensics has identified extremely violent criminal suspects who avoided detection for years (if not decades).

But what about the privacy of a criminal suspect’s relatives, and the fact that they could be considered as potential suspects in a crime they had no part in? In using DNA and genealogy to build family trees, even people who have never submitted a DNA sample might now be included in the suspect pool.

As you can imagine, there are lots of arguments about this process, and no legal precedents to give definitive answers.

Conclusions

The legal and privacy issues surrounding this new practice of familial genetics forensics raise many questions. Inadequate law, lack of regulations, inconsistent terms of service, the ability of customers to “opt out,” and practices involving the use of DNA by law enforcement are all factors that need additional discussion.

I’m sure a high percentage of people who’ve sent their DNA to one of the genetics companies were never explicitly told that their profile might be involved in a criminal investigation. Perhaps more transparency from the firms to make this clear would help, but they don’t have much incentive, and there are no regulations that require this type of notice.

People might also have second thoughts about submitting a DNA sample to one of these companies if they realized all the ways that their DNA data might be used or sold.

It’s becoming even more complicated when you consider how often private companies and government agencies are collecting biometric data at all levels.

Do we need laws or regulations about privacy for this type of data?

Or should there be no restrictions, since the owners of the commercial services now own the data related to the customer’s DNA, and can use it however they please?

On the other hand, after over 20 years in law enforcement, I recognize the need to be able to identify and arrest criminals, especially in violent cases, because without this technology they might escape responsibility for their crimes.

An article entitled “A Great Time to Be a Cold Case Detective — If We Can Use The Tools,” by Cloyd Steiger, Chief Criminal Investigator of the Washington State Attorney General Homicide Investigation Tracking System, expresses it well:

“I suggest lawmakers and lab administrators who are reluctant to use these techniques sit in a room and look into the dead eyes of a mother who lost a child to murder years ago. Explain to her that using this technology is a bad idea.”

There’s no argument about the value of this new source of evidence gathering. But we all need to work together to make sure that the legal and privacy issues are addressed, and that the chances for unintended consequences, misunderstandings, and abuse are resolved.

What do you think?

2020 Techno-Crime Institute